
Assuming that you have a single firewall in your network that can support
multiple security zones, you can segregate the servers into multiple security
zones as shown in the attached diagram. With this architecture you can
segregate the servers and allow only the required TCP/UDP ports from the outside
(internet) or inside (internal) network. Typically you'd need 5 different
zones for a baseline network segregation (see the attached diagram). A brief
overview of suggested zones:

You'd allow only the TCP/UDP ports required to access the application from any
user (inside/outside) zone to the DMZ or Internal server zone. You'd allow only
the app servers in the DMZ and Internal zones to access the DB hosted in the DB
zone. Users will not have direct access to the DB but only through one of
the App servers.

Let me know if this works for you.

Regards,
Mustufa
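The zone model described above, written out as a default-deny allow-list with an nftables renderer. This is an added example, not part of Mustufa's answer or diagram; the zone names, interface assignments (eth0..eth4), and the ports (443 for the apps, 5432 for the DB, 22 for administration from the internal user zone) are assumptions chosen for illustration. Both app tiers (DMZ and internal) may reach the DB, and no user zone can.

```shell
#!/bin/sh
# Added example (not from the original thread): a five-zone, default-deny
# firewall policy in the spirit of the answer above, plus an nftables renderer.
# Zone names, interfaces and ports are assumptions for illustration only.

# Zone -> firewall interface (hypothetical mapping).
zone_iface() {
    case "$1" in
        internet)        echo eth0 ;;   # untrusted upstream
        internal_users)  echo eth1 ;;   # office LAN
        dmz)             echo eth2 ;;   # externally reachable app tier (App 2)
        internal_apps)   echo eth3 ;;   # internal-only app tier (App 1)
        db)              echo eth4 ;;   # database tier, reachable from app tiers only
        *) return 1 ;;
    esac
}

# Allow-list: src_zone dst_zone proto dport. Anything not listed is dropped.
# Note that no line has "db" as a destination unless the source is an app tier,
# and nothing at all flows from "internet" except HTTPS into the DMZ.
POLICY='
internet        dmz             tcp 443
internal_users  dmz             tcp 443
internal_users  internal_apps   tcp 443
dmz             db              tcp 5432
internal_apps   db              tcp 5432
internal_users  dmz             tcp 22
internal_users  internal_apps   tcp 22
'

# zone_policy SRC DST PROTO DPORT -> prints ALLOW or DROP.
# Lets you answer "can X talk to Y on port Z?" before touching the firewall.
zone_policy() {
    if printf '%s\n' "$POLICY" | \
       grep -qE "^[[:space:]]*$1[[:space:]]+$2[[:space:]]+$3[[:space:]]+$4[[:space:]]*$"; then
        echo ALLOW
    else
        echo DROP
    fi
}

# render_nft -> nftables ruleset for the forward path. Default policy is drop;
# only the allow-list above opens new connections between zones.
render_nft() {
    echo 'table inet zones {'
    echo '  chain forward {'
    echo '    type filter hook forward priority 0; policy drop;'
    echo '    ct state established,related accept'
    echo '    ct state invalid drop'
    printf '%s\n' "$POLICY" | while read -r s d p port; do
        [ -z "$s" ] && continue
        printf '    iifname "%s" oifname "%s" %s dport %s ct state new accept comment "%s->%s"\n' \
            "$(zone_iface "$s")" "$(zone_iface "$d")" "$p" "$port" "$s" "$d"
    done
    echo '  }'
    echo '}'
}

# Usage: sh zones.sh render > zones.nft   (then: nft -c -f zones.nft to syntax-check)
#        sh zones.sh check internet db tcp 5432   -> DROP
case "${1:-}" in
    render) render_nft ;;
    check)  shift; zone_policy "$@" ;;
esac
```

The policy table is the document of record: changing a port or adding a zone means editing one line, and `zone_policy` gives a quick way to confirm, for instance, that the internet zone still has no path to the DB tier after a change.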


Is your DMZ going to be set up with a single or dual firewall config?
Basically, you will need to decide what kind of traffic will be allowed between the DMZ and your network. Lock down all other traffic on the router/firewall separating your DMZ from your LAN.

You will want to put your DB behind the DMZ, not in it. Punch a hole for
the app servers to connect to the DB... DBs are juicy targets, don't put them
in a DMZ if you can avoid it. App servers and DB need to be hardened: turn
off root, config your ssh to allow only specific IPs and users, make sure
it is patched. What type of load balancing are you using? Or are you using
it? Are these web apps or thick apps? Turn on SELinux and then auditing. I
would also install a HIDS like OSSEC. Internet-facing apps give me the
willies. All kinds of attack vectors and ways to forget to turn something
off or on. It usually takes me 2-3 weeks to thoroughly test a system to
make sure it has a reduced attack surface area, and I never do the audit
myself; find your best guy and have him pick it apart. Make sure once you
have this all in place you don't get complacent and forget to browse and pen
test the system at least once every quarter or every other quarter.

Make sure you turn off any unnecessary services and all broadcasting and
identifying configurations. This box should be indistinguishable from an
outside perspective. If they know the flavors of your hardware and software,
it's just a matter of time for them to get in. If I sound paranoid, good, you
should be too. I would rather be stranded in the Great Barrier Reef or the
Indian Ocean (it's safer) than wide open on the interwebz.
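The sshd part of the hardening advice above ("turn off root, config your ssh to allow only specific IPs and users") as a checkable audit. This is an added example, not code from the poster; the two sshd_config samples are constructed for illustration, and the address ranges and user names in them are made up. It reads a config the way sshd does (comments stripped, first occurrence of a keyword wins, `Match` blocks not treated as global settings) and flags the two things the reply calls out: root login still permitted, and no user/source restriction via `AllowUsers` entries of the form `user@host`.

```shell
#!/bin/sh
# Added example (not from the original thread): audit an sshd_config for the
# two points raised above: root login disabled, and logins restricted to
# specific users from specific source addresses (AllowUsers user@host).

# Constructed sample: a stock-looking config with root login enabled.
WEAK_CONF='
# constructed sample, not a real host
Port 22
PermitRootLogin yes
PasswordAuthentication yes
X11Forwarding yes
'

# Constructed sample: hardened along the lines of the reply above.
# "user@host" patterns in AllowUsers bind each account to a source range
# (addresses and names are hypothetical).
HARDENED_CONF='
# constructed sample, not a real host
Port 22
ListenAddress 10.20.0.5
PermitRootLogin no
PasswordAuthentication no
AllowUsers opsadmin@10.10.0.* deploy@10.10.0.20
X11Forwarding no
'

# audit_sshd CONFIG_TEXT -> one FAIL line per finding, then "failures=N".
audit_sshd() {
    printf '%s\n' "$1" | awk '
    { sub(/#.*/, ""); if (NF == 0) next; key = tolower($1) }
    # Settings inside a Match block are conditional, not global: stop treating
    # PermitRootLogin as the global value once a Match block starts.
    key == "match" { in_match = 1 }
    # sshd uses the first occurrence of a keyword; later duplicates are ignored.
    key == "permitrootlogin" && !in_match && !seen_root { root = $2; seen_root = 1 }
    key == "allowusers" {
        for (i = 2; i <= NF; i++) { allow++; if ($i !~ /@/) unbound++ }
    }
    key == "allowgroups" { allow++ }
    END {
        fails = 0
        if (root != "no") {
            shown = (root == "" ? "unset (default prohibit-password, key-based root login still works)" : root)
            print "FAIL: PermitRootLogin is " shown "; set it to no"
            fails++
        }
        if (allow == 0) {
            print "FAIL: no AllowUsers/AllowGroups; any account with a shell may log in"
            fails++
        } else if (unbound > 0) {
            print "FAIL: " unbound " AllowUsers entries not bound to a source address (use user@host)"
            fails++
        }
        if (fails == 0) print "OK: sshd_config passes the root-login and user/source checks"
        print "failures=" fails
    }'
}

# audit_failures CONFIG_TEXT -> just the failure count, for scripting.
audit_failures() {
    audit_sshd "$1" | sed -n 's/^failures=//p'
}

# Usage: sh sshd_audit.sh /etc/ssh/sshd_config
if [ -n "${1:-}" ] && [ -r "$1" ]; then
    audit_sshd "$(cat "$1")"
fi
```

Pair this with the firewall rule that only admits port 22 from the management zone; `AllowUsers user@host` is defence in depth for the case where that rule is wrong, not a substitute for it. After editing, `sshd -t` validates the file before a restart.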

Thanks!! But may I know why we don't put them all together in the DMZ zone? Is there any diagram, since I have one App 1 server that needs to be accessed internally + one App 2 server that can be accessed from outside, but both servers access the same DB server?


Copyright 1998-2015 Ziff Davis, LLC (Toolbox.com). All rights reserved. All product names are trademarks of their respective companies. Toolbox.com is not
affiliated with or endorsed by any company listed at this site.